Security Bulletin: Multiple Vulnerabilities in IBM Application Performance Management

Summary

Multiple vulnerabilities were addressed in IBM Application Performance Management 8.1.4.0 IF16 patch

Vulnerability Details

CVEID:CVE-2023-32342
**DESCRIPTION:**IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255828 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2012-6153
**DESCRIPTION:**Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject’s Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95328 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2014-3577
**DESCRIPTION:**Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject’s Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95327 for the current score.
CVSS Vector:

CVEID:CVE-2011-1498
**DESCRIPTION:**Apache HttpComponents could allow a remote attacker to obtain sensitive information, caused by an unspecified error in HttpClient. An attacker could exploit this vulnerability to send the Proxy-Authorization header to the host and disclose the user’s password.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/66241 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:CVE-2020-13956
**DESCRIPTION:**Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2016-5000
**DESCRIPTION:**Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when XLSX2CSV example uses Java’s XML components to parse OpenXML files. An attacker could exploit this vulnerability using an XML document containing an external entity reference to read arbitrary files on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/115530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-12415
**DESCRIPTION:**Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by tool XSSFExportToXml. By sending a specially-crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170015 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2017-5644
**DESCRIPTION:**Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-20952
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20918
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20921
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector:

CVEID:CVE-2024-20919
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-20926
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-33850
**DESCRIPTION:**IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-25168
**DESCRIPTION:**Apache Hadoop could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input file name validation by the FileUtil.unTar(File, File) API. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232807 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-8029
**DESCRIPTION:**Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161812 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-26612
**DESCRIPTION:**Apache Hadoop for Windows could allow a remote attacker to bypass security restrictions, caused by the use of an unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes by the unTar function. By following symbolic links, an attacker could exploit this vulnerability to write arbitrary files on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223688 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2017-15713
**DESCRIPTION:**Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2018-8009
**DESCRIPTION:**Apache Hadoop could could allow a remote attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing “dot dot slash” sequences (…/), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as “Zip-Slip”
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150617 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2014-125087
**DESCRIPTION:**java-xmlbuilder could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the parser in XMLBuilder. By using a specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files on the server.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247961 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-51775
**DESCRIPTION:**jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275907 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2013-4002
**DESCRIPTION:**A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID:CVE-2012-0881
**DESCRIPTION:**Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/134404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2009-2625
**DESCRIPTION:**Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/53082 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2022-23437
**DESCRIPTION:**Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217982 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-36479
**DESCRIPTION:**Eclipse Jetty could provide weaker than expected security, caused by an errant command quoting flaw in the org.eclipse.jetty.servlets.CGI Servlet. A remote authenticated attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266435 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)

**IBM X-Force ID:**220802
**DESCRIPTION:**Apache Hadoop is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the WebHDFS components. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request using the NameNode and DataNode parameters to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220802 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**IBM X-Force ID:**220912
**DESCRIPTION:**Apache HttpComponents Client could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220912 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM Cloud Application Performance Management, Base Private

IBM Cloud Application Performance Management, Advanced Private| 8.1.4|

The vulnerabilities can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0016 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/pages/node/7161673&gt;

The vulnerabilities can be remediated by applying the following 8.1.4.0-IBM-APM-GATEWAY-IF0014 or later Hybrid Gateway patch to the system where the Hybrid Gateway is installed: <https://www.ibm.com/support/pages/node/7161767&gt;

—|—|—

Workarounds and Mitigations

None